The Institute of Internal Auditors, Doha Chapter recently held a webinar on cybersecurity.
Addressing the webinar, Matt Kinsey, chief information security officer for IT Fusion, an IT management company located in southeast Florida, said, "The cyber-attack footprint has changed. Has your security profile changed to match? Cybercriminals are no longer operating in their basements. Today, they are sophisticated operators that rival the structure of major corporations. Businesses should enable the layers of security needed and identify where they are over-spending and where they are often lacking. Companies can improve the security profile often with little to no additional cost."
According to Palo Alto Networks, the average demand for a ransomware incident was $2.2mn, with an average payout of over $540,000. Ransomware payments hit new records in 2021 as cybercriminals increasingly turned to Dark Web ‘leak sites’, where they pressured victims to pay up by threatening to release sensitive data.
The most affected industries were professional and legal services, construction, wholesale and retail, healthcare, and manufacturing.
The tactics have changed over the last few years. Modern cybercrime attacks often involve transferring data from a compromised system. The criminal groups then threaten to make this data available for sale via the dark web, which increases their chance of receiving a payout.
"This requires a comprehensive approach to cybersecurity that covers all seven security layers, from the human element to critical assets. It also requires implementing a trusted cybersecurity framework based on ISO 27001 and ISO 27002 international standards," stated Kinsey.
Based on his experience, Kinsey says that most companies overspend on endpoint protection and underspend on application security measures.
There are several steps that companies can take immediately to improve their security posture. These include e-mail filtering to protect systems from phishing attacks delivered by e-mail, application whitelisting to protect against both known and unknown threats, and multi-factor authentication to provide additional verification of an end-user's identity.
He emphasised the need to conduct a security audit as the first step, so that companies can determine their risks and create a plan to address them. For the most effective result, this should be a business-driven project involving IT and information security staff, not an IT project alone.